Hide Modul c++

 // Unlinks the loader entry for the module based at hMod from the current
 // process's PEB loader lists, then wipes its path string and first header page.
 //
 // Steps, in the order the code performs them:
 //   1. read PEB->Ldr through inline assembly,
 //   2. walk the load-order list for an entry whose BaseAddress equals hMod,
 //   3. unlink that entry from four lists (LoadOrder, InitOrder, MemoryOrder,
 //      HashTable),
 //   4. zero the FullPath buffer and 0x1000 bytes at the module base,
 //   5. memset the entry itself.
 //
 // hMod:    module base address; compared directly against each BaseAddress.
 // returns: LogError(ERR_HIDING_NOTFOUND) when the walk ends on an entry whose
 //          BaseAddress is null, otherwise ERR_SUCCESS.
 //
 // Notes for analysts reading this sample:
 //   - Only user-mode loader bookkeeping inside this process is modified.
 //     Nothing here unmaps the image, so the mapped region still exists;
 //     comparing mapped image regions against the loader lists is the usual
 //     way this kind of unlinking is detected.
 //   - 32-bit x86 / MSVC only: it relies on `_asm` and fixed TEB/PEB offsets.
 //   - No return value of VirtualProtect is checked and no lock is taken
 //     around the list walk or the unlink.
 VL::RESULT VL::Hiding::HideModule(HMODULE hMod)  
 {  
      PPEB_LDR_DATA pPMI;  
      PLDR_MODULE pMIN;  
      unsigned int moduleSize = 0;  // never read in this function
      // Fetch the loader data pointer from the PEB (32-bit layout):
      // fs:[0x18] = TEB self pointer, TEB+0x30 = PEB, PEB+0x0c = PEB.Ldr.
      _asm {  
           mov eax,dword ptr fs:[0x18]  
           mov eax,dword ptr ds:[eax+0x30]  
           mov eax,dword ptr ds:[eax+0x0c]  
           mov pPMI,eax  
      }  
      // Search the load-order list for the entry describing hMod.
      // NOTE(review): the loop ends only on a match or on an entry whose
      // BaseAddress reads as null - presumably the list head viewed through
      // PLDR_MODULE; confirm against the structure definition.
      pMIN = (PLDR_MODULE)(pPMI->InLoadOrderModuleList.Flink);  
      while (pMIN->BaseAddress && pMIN->BaseAddress != hMod) {  
           pMIN = (PLDR_MODULE)(pMIN->LoadOrder.Flink);  
      }  
      if (!pMIN->BaseAddress) {  
           return LogError(ERR_HIDING_NOTFOUND);  
      }  
      // Remove the module entry from each linked list by joining its
      // neighbours. The entry's own Flink/Blink fields are not changed here,
      // so they still point at the former neighbours.
      pMIN->LoadOrder.Blink->Flink = pMIN->LoadOrder.Flink;  
      pMIN->LoadOrder.Flink->Blink = pMIN->LoadOrder.Blink;  
      pMIN->InitOrder.Blink->Flink = pMIN->InitOrder.Flink;  
      pMIN->InitOrder.Flink->Blink = pMIN->InitOrder.Blink;  
      pMIN->MemoryOrder.Blink->Flink = pMIN->MemoryOrder.Flink;  
      pMIN->MemoryOrder.Flink->Blink = pMIN->MemoryOrder.Blink;  
      pMIN->HashTable.Blink->Flink = pMIN->HashTable.Flink;  
      pMIN->HashTable.Flink->Blink = pMIN->HashTable.Blink;  
      // Erase the module path: zeroes FullPath.Length bytes of the string
      // buffer in place. The Length and Buffer fields keep their values, and
      // any other name field the structure may carry is not touched here.
      memset(pMIN->FullPath.Buffer, 0, pMIN->FullPath.Length);  
      // Erase the mapped file headers: the first 0x1000 bytes at the image
      // base are made writable and zeroed. The size is hard-coded and the
      // VirtualProtect result is not checked.
      DWORD dwOldProtection;  
      VirtualProtect(pMIN->BaseAddress, 0x1000, PAGE_EXECUTE_READWRITE, &dwOldProtection);  
      memset((void*)pMIN->BaseAddress, 0, 0x1000);  
      // NOTE(review): VirtualProtect is documented to fail when lpflOldProtect
      // is NULL, so this restore probably does not take effect and the page
      // likely stays PAGE_EXECUTE_READWRITE. A writable+executable page with
      // zeroed headers at an image base is a strong memory-scanning indicator.
      VirtualProtect(pMIN->BaseAddress, 0x1000, dwOldProtection, NULL);  
      // Erase the module info node. sizeof(pMIN) is the size of the pointer,
      // not of the record it points to, so only the first pointer-sized bytes
      // are cleared; the remainder of the entry stays in memory and is
      // recoverable by memory forensics.
      memset(pMIN, 0, sizeof(pMIN));  
      return ERR_SUCCESS;  
 }  
